ICO call for views on a direct marketing code of practice


The Information Commissioner is calling for views on a direct 
marketing code of practice. 


The Data Protection Act 2018 requires the Commissioner to produce 
a code of practice that provides practical guidance and promotes 
good practice in regard to direct marketing. 


While direct marketing is an important and useful tool to help 
organisations engage with people in order to grow their business or 
to publicise and gain support for their causes, it can also be 
intrusive and have a negative impact on people if done badly. This 
can cause reputational damage to organisations and, in some cases, 
result in fines or other regulatory action for breaking data protection 
laws. 


So it is important that organisations ensure their marketing 
activities are compliant with data protection legislation (the General 
Data Protection Regulation and Data Protection Act 2018) and, 
where necessary, the Privacy and Electronic Communications 
Regulations 2003 (PECR). 


We have previously published detailed direct marketing guidance. 
The new code will build on that guidance and address the aspects of 
the new legislation relevant to direct marketing such as 
transparency and lawful bases for processing, as well as covering 
the rules on electronic marketing (for example emails, text 
messages, phone calls) under PECR. 


The European Union is in the process of replacing the current e- 
privacy law (and therefore PECR) with a new ePrivacy Regulation 
(ePR). However the new ePR is yet to be agreed and there is no 
certainty about what the final rules will be. Because of this we 
intend for the direct marketing code to only cover the current PECR 
rules until the ePR is agreed. Once the ePR is finalised and the UK 
position in relation to it is clear we will produce an updated version 
of the code which takes this into account as appropriate. 


This call for views is the first stage of the consultation process. The
Commissioner is seeking input from relevant stakeholders, including
trade associations, data subjects and those representing the
interests of data subjects. We will use the responses we receive to
inform our work in developing the code.


Direct Marketing Code - Call for views
20181112 v1.0
Information Commissioner's Office


You can email your response to directmarketingcode@ico.org.uk
or print and post to:


Direct Marketing Code Call for Views
Engagement Department
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF


If you would like further information on the call for views, please 
email the Direct Marketing Code team. 


Please send us your views by 24 December 2018. 


Privacy statement 


For this call for views we will publish responses received from
organisations but will remove any personal data before publication.
We will not publish responses from individuals. For more
information about what we do with personal data please see our
privacy notice.
Questions


Q1 The code will address the changes in data protection 
legislation and the implications for direct marketing. What 
changes to the data protection legislation do you think we 
should focus on in the direct marketing code? 


1. We feel that there are a number of contradictions within the
guidelines currently and we would appreciate these being
ironed out.

- Consent must be required for marketing, however
there is widespread guidance from bodies such as
DPN, DMA etc now suggesting that consent is not the
only way, legitimate interests can be used too.

- There is mention that PECR soft opt in may be
applicable but it is lacking in detail offering room for
different interpretations across the industry.

- The guidelines specify that data providers need to
have consent, it is increasingly apparent that many of
them don’t have consent that meets the GDPR
standards. Will you be updating the guidelines or are
we to understand that these data providers are in
breach?

- The guidelines specify that data providers need to
name the third parties who are using the data - again
many don’t, so will this view be updated or are they
all in breach?


2. There are a number of terms that are open to interpretation 
and we would appreciate greater clarity of the definitions 
such as: ‘Intrusive’; ‘reasonable’ as we feel this lack of 
clarity leaves us vulnerable to risk. 


3. We would find it helpful if Legitimate Interest was included
and referenced in this document, in particular clarification
on Consent versus Legitimate Interest and we would
appreciate some examples of what would be acceptable.


4. It would be helpful to have more detail on when
PECR versus GDPR applies and how to apply them correctly.
We understand that currently they have equal weighting.


5. It would be helpful if there were additional guidelines
provided to 3rd party data brokers on what an acceptable
privacy policy looks like and some guidelines around data
provider supply chains.


6. It would be helpful to have additional guidelines in terms of
due diligence a marketer should undertake when purchasing
cold lists - this could be a supplement to the DPIA. This is
because it seems apparent that recent fines around cold lists
have been imposed on the user and not the broker. Key
areas we need clarity on are:


- How frequently should the data be verified and validated 
with the data subject? 

- If historic soft consent was obtained, then what 
legitimate interests would be acceptable to use this data? 

- What should the data broker have provided the customer 
with in order to use their data for profiling - consent or 
just a statement in the privacy notice? 

- What does the data broker need to provide the customer 
in terms of details about who might use their data - 
named consent or category description? 

- How can the electoral roll be used compliantly within the 
regulation or is it exempt as it follows a different piece of 
legislation? 


See an example of our current approach attached below. 




7. It would be helpful to have a section which clearly calls out 
which marketing activity falls outside of GDPR. I.e. where 
there is no profiling or specific targeting. Examples here 
might include: doordrops; partial address; advertising 
banners (non targeted); non-targeted social media.


8. It would be helpful for the new code to cross-reference (as 
appropriate) the other guides available e.g. DMA LI and 
consent; DPN Guide to LI; DPN 3rd party data.


9. It would be helpful to have more detail on digital marketing 
- especially when working with Google Analytics, Facebook 
data etc. 


10. It would be helpful to get some clarity on whether 
profiling needs specific consent or just to be covered off in 
the privacy notice. 
Q2 Apart from the recent changes to data protection legislation
are there other developments that are having an impact on
your organisation’s direct marketing practices that you think
we should address in the code?


Yes
No


Q3 If yes please specify


PECR - as described above


Q4 We are planning to produce the code before the draft ePrivacy
Regulation (ePR) is agreed. We will then produce a revised
code once the ePR becomes law. Do you agree with this
approach?


Yes
No


Q5 If no please explain why you disagree


There is a risk of further contradictions if they are not
revised/issued in tandem.


Q6 


Is the content of the ICO’s existing direct marketing guidance 
relevant to the marketing that your organisation is involved 
in? 


Q7 If no what additional areas would you like to see covered? 


As referenced above, it would be useful for the areas of marketing 
which are not covered by GDPR to be called out clearly as 
exemptions in the new guidance including doordrops; partial 
address; advertising banners (non targeted); non-targeted social
media. 


It would also be beneficial for PECR and the direct marketing
guidelines to be co-produced to ensure minimum amount of
contradictions.


There is a risk that we would inadvertently breach if things are 
not clear. 


It’s costing us a lot of money to get external view points on grey 
areas of this regulation. 


There is a risk that we are at a competitive disadvantage if we 
follow the regulation to the letter and our competition have a 
different interpretation. We have already lost significant market 
share and commercial value from taking a more cautious 
approach to GDPR than our competitors. 


Q8 Is it easy to find information in our existing direct marketing
guidance?

Yes
[ ] No


Q9 If no, do you have any suggestions on how we should 
structure the direct marketing code? 
There are several pages across the ICO’s website that impact
marketing but are not linked together. It would be helpful to have
some navigation that links these together. E.g.:


- There is a section on legitimate interests

- There is a section in charities that permits the use of DM under
legitimate interests

- There is a section on the electoral roll




Q10 Please provide details of any case studies or marketing 
scenarios that you would like to see included in the direct 
marketing code. 


It would be helpful to have case studies which cover the following:

- Google Analytics - best practice

- Data Sources - Using Electoral roll for cold direct mailing

- List brokers - a case study of good due diligence

- Warm lists and acceptable use thereof (this area feels open to
interpretations)

- Insurance (separate to financial services)


Q11 Do you have any other suggestions for the direct marketing 
code? 
About you


Q12 Are you answering these questions as? 
A public sector worker 
A private sector worker 
A third or voluntary sector worker 
A member of the public 
A representative of a trade association 
A data subject 
An ICO employee 
Other 




If you answered ‘other’ please specify: 


A group of employees working in data protection and marketing at 
a large private organisation 




Q13 Please provide the name of the organisation that you are 
representing. 


Legal & General 


Q14 We may want to contact you about some of the points you 
have raised. If you are happy for us to do this please provide 
your email address: 


L&G Insurance
L&G Insurance
L&G Group

Thank you for taking the time to share your views and experience.